• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item7558: Security Alert CVE-2014-7236: Remote Perl code execution with query string to debug TWiki plugins

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Engine   Urgent Closed   patch 6.0.1

Edit Form Data

Reported By:
Applies To:
Current State:
Waiting For:
Target Release:
Released In:



My name is Netanel Rubin, I work as a vulnerability researcher at Check Point Software Technologies.

This is a critical vulnerability report for an issue I discovered in the TWiki platform. The successful exploitation of the vulnerability allows an attacker to execute Perl code unauthenticated. The vulnerability has been discovered in a fully patched TWiki (ver 6.0.0).

We would like to report the complete vulnerability description over a private channel. Please contact us at netanelr@checkpointNOSPAM.com and shahartal@checkpointNOSPAM.com (my team leader).
If possible, we would also like to coordinate the public disclosure with you.

Best regards,

-- TWiki:Main/NetanelRubin - 2014-09-30

Mail sent. Thanks!

Our security process is documented at TWiki:Codev.TWikiSecurityAlertProcess.

-- TWiki:Main.PeterThoeny - 2014-09-30

Thank you Netanel, we received the alert and will follow our documented process.

  • The plugin handler issue will be tracked here
  • The file upload issue is tracked at Item7560

-- TWiki:Main.PeterThoeny - 2014-10-01

Now fixed in SVN trunk and 6.0 branch


--- TWiki/Plugins.pm.save1   2014-01-09 02:10:56.000000000 -0500
+++ TWiki/Plugins.pm   2014-10-01 20:30:36.000000000 -0400
@@ -186,8 +186,11 @@
     unless( $allDisabled ) {
         if ( $query && defined( $query->param( 'debugenableplugins' ))) {
-            @pluginList = split( /[,\s]+/,
-                                 $query->param( 'debugenableplugins' ));
+            @pluginList =
+              grep { /Plugin$/ }
+              map { s/[^a-zA-Z0-9]//go; $_ } # Item7558: Sanitize parameter
+              split( /[,\s]+/, $query->param( 'debugenableplugins' ));
         } else {
             if( $TWiki::cfg{PluginsOrder} ) {
                 foreach my $plugin( split( /[,\s]+/,

-- TWiki:Main.PeterThoeny - 2014-10-02

Summary Security Alert CVE-2014-7236: Remote Perl code execution with query string to debug TWiki plugins
ReportedBy TWiki:Main.NetanelRubin
Codebase 6.0.0
SVN Range TWiki-6.0.1-trunk, Mon, 29 Sep 2014, build 28107
AppliesTo Engine

Priority Urgent
CurrentState Closed

Checkins TWikirev:28129 TWikirev:28130
TargetRelease patch
ReleasedIn 6.0.1
Edit | Attach | Watch | Print version | History: r8 < r7 < r6 < r5 < r4 | Backlinks | Raw View |  Raw edit | More topic actions
Topic revision: r8 - 2014-10-11 - PeterThoeny
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback